** Description changed: On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg- 1ubuntu1.9 + + This prevents Certbot Let's Encrypt validation and therefore certificate + issuance when the zone is configured to use NSEC3. + + NSEC3 is valuable in preventing DNSSEC NSEC zone walking to discover all + RR records in the zone. Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added to the already-signed zone file: example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc ) - an attempt to re-sign the zone file fails with: - dnssec-signzone -o example.com example.com.hosts + dnssec-signzone -o example.com example.com.hosts dnssec-signzone: error: dns_rdata_fromtext: example.com.hosts:165: near '0d95646237ae38bc': extra input text dnssec-signzone: fatal: failed loading zone from 'example.com.hosts': extra input text This seems related to upstream report "Problems signing a zone that already contains an NSEC3PARAM" https://gitlab.isc.org/isc-projects/bind9/issues/953
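Review bot: the NSEC3PARAM record kept as unchanged context has five rdata tokens, '1 0 10 16 0d95646237ae38bc', while the RFC 5155 presentation format has four (hash algorithm, flags, iterations, salt; the salt length is not written out), and the quoted dns_rdata_fromtext error flags exactly the fifth token, '0d95646237ae38bc', as "extra input text". The description should state whether re-signing still fails when the record is written with four fields, so that a malformed record can be told apart from the upstream issue it links. The removed and added 'dnssec-signzone -o example.com example.com.hosts' lines read identically here, so that part of the change looks like whitespace only.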
https://bugs.launchpad.net/bugs/1842939
Title: dnssec-signzone: error when NSEC3PARAM record exists